Allow direct uploads via API

This commit is contained in:
Stanko K.R.
2025-12-11 11:52:38 +01:00
parent dcdd8537af
commit 5ee10800a2
2 changed files with 82 additions and 0 deletions
+10
View File
@@ -35,6 +35,16 @@ module ActiveStorageControllerExtensions
end end
end end
module ActiveStorageDirectUploadsControllerExtensions
extend ActiveSupport::Concern
included do
include Authentication
skip_forgery_protection if: :authenticate_by_bearer_token
end
end
Rails.application.config.to_prepare do Rails.application.config.to_prepare do
ActiveStorage::BaseController.include ActiveStorageControllerExtensions ActiveStorage::BaseController.include ActiveStorageControllerExtensions
ActiveStorage::DirectUploadsController.include ActiveStorageDirectUploadsControllerExtensions
end end
@@ -0,0 +1,72 @@
require "test_helper"
class ActiveStorage::DirectUploadsControllerTest < ActionDispatch::IntegrationTest
setup do
@blob_params = {
blob: {
filename: "screenshot.png",
byte_size: 12345,
checksum: "GQ5SqLsM7ylnji0Wgd9wNC==",
content_type: "image/png"
}
}
end
test "create" do
sign_in_as :david
post rails_direct_uploads_path,
params: @blob_params,
headers: bearer_token_header(identity_access_tokens(:davids_api_token).token),
as: :json
assert_response :success
assert_includes response.parsed_body.keys, "direct_upload"
end
test "create with valid access token" do
post rails_direct_uploads_path,
params: @blob_params,
headers: bearer_token_header(identity_access_tokens(:davids_api_token).token),
as: :json
assert_response :success
assert_includes response.parsed_body.keys, "direct_upload"
end
test "create with read-only access token" do
post rails_direct_uploads_path,
params: @blob_params,
headers: bearer_token_header(identity_access_tokens(:jasons_api_token).token),
as: :json
assert_response :unauthorized
end
test "create with invalid access token" do
post rails_direct_uploads_path,
params: @blob_params,
headers: bearer_token_header("invalid_token"),
as: :json
assert_response :unauthorized
end
test "create unauthenticated" do
post rails_direct_uploads_path,
params: @blob_params.merge(authenticity_token: csrf_token),
as: :json
assert_response :redirect
end
private
def bearer_token_header(token)
{ "Authorization" => "Bearer #{token}" }
end
def csrf_token
get new_session_url
response.body[/name="csrf-token" content="([^"]+)"/, 1]
end
end